terraform-google-modules/terraform-google-vault

Error 403: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt'

thedarkwriter opened this issue · 3 comments

I ran into an issue incorporating the vault module.

Everything would run fine until the module reached this resource: "google_kms_secret_ciphertext" "vault-tls-key-encrypted"
and received this error:

Error: Error creating SecretCiphertext: googleapi: Error 403: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'projects/myproject/locations/us-central1/keyRings/vault/cryptoKeys/vault-init' (or it may not exist).

I get this error even though my terraform account had this Role "Cloud KMS CryptoKey Encrypter/Decrypter"

After some heavy research, I found that the key itself needed permissions from my account. When reviewing the permissions of the key, I saw that it was granted permissions from the Vault service account (created by this module), so the permissions looked like so:

gcloud kms keys get-iam-policy vault-init \
    --keyring vault \
    --location us-central1 --project myproject
bindings:
- members:
  - serviceAccount:vault-admin-dev@myproject.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: BwWrrjINK5c=
version: 1

After I added my terraform service account, I was able to deploy everything in the module

gcloud kms keys add-iam-policy-binding vault-init \
    --keyring vault \
    --location us-central1 \
    --member serviceAccount:johnfahl@myproject.iam.gserviceaccount.com \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter --project dh-dev-242811
...
Updated IAM policy for key [vault-init].
bindings:
- members:
  - serviceAccount:johnfahl@myproject.iam.gserviceaccount.com
  - serviceAccount:vault-admin-dev@myproject.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: BwWsDh8WlhE=

So, this is great. But as I create the next environments, I'd like to have a depends_on on the vault-init key, so that I can set the permission for my service account before the run calls the encrypt resource block to encrypt vault.crt.

I'd like to add an output for the vault-init KMS key so that I can reference it from another module. Others may need to do this too.

Thank you!
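The pattern the issue asks for, written out as an added Terraform example (this is not code from terraform-google-vault, and the resource names, the `terraform_sa_email` variable, the project/location values and the `vault.key` path are assumptions; it also assumes a google provider version in which `google_kms_secret_ciphertext` is a resource taking `crypto_key`). It creates the key, grants the Terraform service account the encrypter/decrypter role on that key with a non-authoritative `google_kms_crypto_key_iam_member`, forces the encrypt resource to wait for the grant with `depends_on`, and exposes the key ID as an output:

```hcl
# Added example, not part of the terraform-google-vault module.
# Assumed: the caller supplies the service account Terraform runs as.
variable "terraform_sa_email" {
  description = "Email of the service account Terraform runs as (assumed input)"
  type        = string
}

resource "google_kms_key_ring" "vault" {
  name     = "vault"
  location = "us-central1"
  project  = "myproject" # assumed project ID
}

resource "google_kms_crypto_key" "vault_init" {
  name     = "vault-init"
  key_ring = google_kms_key_ring.vault.id
}

# Non-authoritative: adds one member to the role on this key without
# replacing the binding the module manages for the Vault service account.
# This is the Terraform equivalent of the gcloud add-iam-policy-binding above.
resource "google_kms_crypto_key_iam_member" "terraform_encrypter" {
  crypto_key_id = google_kms_crypto_key.vault_init.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${var.terraform_sa_email}"
}

resource "google_kms_secret_ciphertext" "vault_tls_key_encrypted" {
  crypto_key = google_kms_crypto_key.vault_init.id
  plaintext  = file("${path.module}/vault.key") # assumed path to the TLS key

  # Referencing the crypto key only orders this after key creation, not after
  # the IAM grant. Without this depends_on the first apply can hit the 403
  # (useToEncrypt denied) because the binding has not been written yet.
  depends_on = [google_kms_crypto_key_iam_member.terraform_encrypter]
}

# Expose the key so other modules can bind their own principals to it.
output "vault_init_key_id" {
  description = "Full resource ID of the vault-init crypto key"
  value       = google_kms_crypto_key.vault_init.id
}
```

Two caveats worth keeping in mind. Key rings and keys cannot be deleted in Cloud KMS, so keep the names stable across environments. And the role is broader than this step needs: `google_kms_secret_ciphertext` only encrypts, so if nothing else in the run decrypts with this key, `roles/cloudkms.cryptoKeyEncrypter` is the least-privilege choice for the Terraform service account.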

Can I just create a PR for this?

Thanks for submitting this. If you have the time to submit a PR, it would be greatly appreciated.

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.